On Tue, Nov 9, 2010 at 10:17 AM, Michael Hausenblas
<michael.hausenblas@deri.org> wrote:
>
>> Thanks for pointing us at
>> http://river.styx.org/ww/2010/10/corscheck
>> - it's very interesting.
>
> You're welcome ;)
>
>> CORS hasn't even gone to last call yet, so I hope people aren't
>> getting too accustomed to it in its draft form. Might be better for
>> people to wait until CR.
>
> True. Nevertheless we're trying to establish it (at least) for Linked Data,
> see http://enable-cors.org/ ...
Blah. The Web has a long history of premature adoption meaning that
specs (or undocumented designs) end up getting no expert review - and
this one in particular has not had adequate security review. If there
are any W3C members involved in promoting production deployment of a
working draft, they ought to be ... um ... sorry, can't figure out a
polite way to end that sentence. I'm going to pretend I didn't read
the personnel list at the bottom.
According to the process document, CR means: "W3C believes the
technical report is stable and appropriate for implementation." By
implicature, one might say that for a pre-CR draft, especially a
pre-LC draft, "W3C believes the technical report is NOT stable and
appropriate for implementation."
At the very least I urge the authors of the enable-cors.org page to
include a disclaimer to the effect that CORS is not stable or
appropriate for implementation, and has not received expert review.
Then at least any potential adopter will be fully informed. Maybe one
of them is reading this message?
I wonder if UMP, which is much simpler than full CORS and more
obviously safe, could be pushed to CR quickly? That's all you need for
linked data, anyhow.
Jonathan